Commit graph

171 commits

Author SHA1 Message Date
Cosmin Cojocar
9cee24cccd Add a rule which detects when pprof endpoint is automatically exposed
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-24 09:32:09 +10:00
Martin Vrachev
709ed1ba65 Change rule G204 to be less restrictive (#339)
Currently, rule G204 warns you about every single use of the
functions syscall.Exec, os.exec.CommandContext and os.Exec.Command.
This can create false positives and it's not accurate because you can
use those functions with perfectly secure arguments like hardcoded
strings for example.

With this change, G204 will warn you in 3 cases when passing arguments
to a function which starts a new process the arguments:
1) are variables initialized by calling another function
2) are functions
3) are command-line arguments or environmental variables

Closes: https://github.com/securego/gosec/issues/338

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-09-16 16:15:06 +02:00
Cosmin Cojocar
338b50debb Remove rule G105 which detects the use of math/big#Int.Exp
The big#Int.Exp used to be vulnerable in older versions of Go, but in the
meantime has been fixed (https://github.com/golang/go/issues/15184).

Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:59:05 +10:00
Cosmin Cojocar
81b6dc8872 Regenerate the TLS configuration based on latest Mozilla's recommended ciphers
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-09-10 11:57:18 +10:00
Cosmin Cojocar
f3445245a2 Fix the whitelist on G104 rule and add a test
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:15:11 +02:00
Cosmin Cojocar
78a49491a8 Load rules on each code sample in order to reconfigure them
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 11:14:27 +02:00
Cosmin Cojocar
ed9934fa48 Refactor the rules tests to be able to configure the analyzer config per test sample
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-06-25 10:29:19 +02:00
Ben Bytheway
04dc713f22 One approach for fixing the false positive identified in #325. 2019-06-13 08:22:48 +10:00
Cosmin Cojocar
3af4ae9ddb Fix some lint warnings
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-05-01 08:52:23 +02:00
Cosmin Cojocar
b49c9532a8 Add a flag which allows to scan also the tests files
Signed-off-by: Cosmin Cojocar <cosmin.cojocar@gmx.ch>
2019-04-29 06:55:24 +02:00
Martin Vrachev
62b5195dd9 Report for Golang errors (#284)
* Report for Golang errors

Right now if you use Gosec to scan invalid go file and if you report the result in a text, JSON, CSV or another file format you will always receive 0 issues.
The reason for that is that Gosec can't parse the AST of invalid go files and thus will not report anything.

The real problem here is that the user will never know about the issue if he generates the output in a file.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2019-02-27 08:24:06 +10:00
Cosmin Cojocar
f87af5fa72 Detect the unhandled errors even though they are explicitly ignored if the 'audit: enabled' setting is defined in the global configuration (#274)
* Define more explicit the global options in the configuration

* Detect in audit mode the unhandled errors even thought they are explicitly ignored
2019-01-14 21:37:40 +10:00
Cosmin Cojocar
14ed63d558 Do not flag the unhandled errors which are explicitly ignored
fixes #270
2019-01-14 10:06:30 +01:00
Cosmin Cojocar
24e3094d2a Extend the bind rule to handle the case when the net.Listen address in provided from a const 2018-12-04 09:22:06 +01:00
Cosmin Cojocar
9b32fcac16 Fix the bind rule to handle the case when the arguments of the net.Listen are returned by a function call 2018-12-04 09:22:06 +01:00
Edoardo Tenani
adb42220da whitelist strings.Builder method in rule G104 2018-11-11 09:57:28 +01:00
Yuki Ito
41809946d4 Make G201 ignore CallExpr with no args (#262) 2018-11-05 09:28:47 +01:00
Oleksandr Redko
3116b07de4 Fix typos in comments and rulelist (#256) 2018-10-11 14:45:31 +02:00
Cosmin Cojocar
64d58c2e51 Refactor the test code sample to support multiple files per sample 2018-09-28 11:42:25 +03:00
Delon Wong Her Laang
d3f1980e7a Fix false positives for SQL string concatenation with constants from another file (#247)
* Allow for SQL concatenation of nodes that resolve to literals

If node.Y resolves to a literal, it will not be considered as an issue.

* Fix typo in comment.

* Go through all files in package to resolve that identifier

* Refactor code and added comments.

* Changed checking to not var or func.

* Allow for supporting code for test cases.

* Resolve merge conflict changes.
2018-09-28 10:46:59 +03:00
Dale Hui
762ff3a709 Allow quoted strings to be used to format SQL queries (#240)
* Support stripping vendor paths when matching calls

* Factor out matching of formatter string

* Quoted strings are safe to use with SQL str formatted strings

* Add test for allowing quoted strings with string formatters

* Install the pq package for tests to pass
2018-09-25 10:40:05 +03:00
cschoenduve-splunk
145f1a0bf4 Removed wrapping feature (#238) 2018-09-04 18:08:37 +02:00
cschoenduve-splunk
419c9292c8 G107 - SSRF (#236)
* Initial SSRF Rule

* Added Selector evaluation

* Added source code tests

* Fixed spacing issues

* Fixed Spacingv2

* Removed resty test
2018-09-04 08:55:03 +02:00
cschoenduve-splunk
7fd94463ed update to G304 which adds binary expressions and file joining (#233)
* Added features to G304

* Linted

* Added path selectors

* Used better solution

* removed debugging lines

* fixed comments

* Added test code

* fixed a spacing change
2018-08-28 14:34:07 +10:00
cschoenduve-splunk
b6891998ce Add Fprintf to Rule G201 2018-08-21 09:31:38 +02:00
cschoenduve-splunk
a7cff91312 Small update to G201 and added ConcatString Function (#228) 2018-08-19 19:57:36 +02:00
Cosmin Cojocar
8dfa8dc015 Update README 2018-08-08 16:41:34 +02:00
Cosmin Cojocar
fb0dc73a96 Add sha1 to weak crypto primitives 2018-08-08 16:38:57 +02:00
Will Roden
6a156e2695 Merge branch 'master' into commandcontext 2018-07-26 09:13:43 -05:00
Cosmin Cojocar
893b87b343 Replace gas with gosec everywhere in the project 2018-07-19 18:42:25 +02:00
Grant Murphy
da26f64208
Rename github org (#214) 2018-07-19 17:40:28 +10:00
Cosmin Cojocar
1923b6d18e Rule which detects a potential path traversal when extracting zip archives (#208)
* Add a rule which detects file path traversal when extracting zip archive

* Detect if any argument is derived from zip.File

* Drop support for Go version 1.8
2018-07-18 22:31:07 +10:00
Will Roden
d7ec2fce7a add CommandContext as subprocess launcher 2018-06-03 16:43:28 -05:00
cosmincojocar
4ae8c95b40 Add an option for Go build tags (#201)
* Add an option for Go build tags

* Update README with a section for Go build tags
2018-04-20 09:45:03 +10:00
cosmincojocar
c25269ef39 Regenerate the TLS config (#199) 2018-04-16 15:44:11 +10:00
cosmincojocar
e809226800 Build improvments (#179)
* Add a semantic version to the usage text

* Add a comment to the version function

* Inject the version, git tag and build date as build variables

* Update README

* Fix lint warnings

* Update README

* Manage dependencies with dep tool instead of godep

* Add a Makefile for common build tasks

* Update the build file to use the make tool

* Update Dockerfile

* Add docker entry point in to make the passing of arguments easy

* Update README

* Add missing tools to the build

* Drop 1.7 support and add 1.10

* Fix Go 1.10 according with the travis guidelines

https://docs.travis-ci.com/user/languages/go/

* Update the tls-observatory package

* Fix lint warnings

* Change the output of the tests to be more verbose

* Check if the are build errors before executing the rule test
2018-03-13 08:57:10 +10:00
jonmcclintock
2115402409 Add the rule ID to issues (#188) 2018-03-12 18:18:44 +10:00
Grant Murphy
66aea5cd99 fix gofmt errors 2018-03-09 12:49:01 +10:00
Grant Murphy
90fe5cb5ab Port readfile rule to include ID and metadata 2018-03-09 11:27:41 +10:00
Grant Murphy
58a48c471c Merge branch 'nosec-specify-rule' of git://github.com/jonmcclintock/gas into jonmcclintock-nosec-specify-rule 2018-03-09 10:54:34 +10:00
andyleap
f3c8d59863 Switch to valuespec instead of gendecl for hardcoded credential rule (#186) 2018-03-09 09:49:49 +10:00
coredefend
e76b258456 New Rule Tainted file (#183)
* Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)

* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration

* Update README

* Remove trailing space in README

* Update dependencies

* Fix the commends of the generated functions

* Add nil pointer check to rule. (#181)

TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.

Relates to #174

* Add support for YAML output format (#177)

* Add YAML output format

* Update README

* added rule to check for tainted file path

* added #nosec to main/issue.go

* updated test case import
2018-03-09 09:23:27 +10:00
Jon McClintock
6b484e734e Run gofmt 2018-03-03 00:03:39 +00:00
Jon McClintock
1429033aca Add support for #excluding specific rules 2018-03-02 23:44:51 +00:00
Grant Murphy
c6183b4d5c
Add nil pointer check to rule. (#181)
TypeOf returns the type of expression e, or nil if not found. We are
calling .String() on a value that may be nil in this clause.

Relates to #174
2018-02-28 04:29:25 +10:00
cosmincojocar
edb362fc9d Add a tool to generate the TLS configuration form Mozilla's ciphers recommendation (#178)
* Add a tool which generates the TLS rule configuration from Mozilla server side
TLS configuration

* Update README

* Remove trailing space in README

* Update dependencies

* Fix the commends of the generated functions
2018-02-21 15:59:18 +10:00
cosmincojocar
1c58cbd378 Make the folder permissions more permissive to avoid false positives (#175) 2018-02-15 19:53:01 +10:00
Cosmin Cojocar
230d286f4e Fix gofmt formatting 2018-02-10 20:04:58 +01:00
Grant Murphy
6b28d5c0e6
Merge pull request #166 from cosmincojocar/fprint_whitelist
Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist
2018-02-08 11:54:44 +10:00
Cosmin Cojocar
6cd7a6d7fe Add Fprint, Fprintf, Fprintln to NoErrorCheck whitelist 2018-02-07 14:13:17 +01:00
Cosmin Cojocar
179c178924 Add some review fixes 2018-02-07 09:23:52 +01:00
Cosmin Cojocar
d3c3cd6419 Add a rule to detect the usage of ssh InsecureIgnoreHostKey function 2018-02-06 16:56:26 +01:00
Grant Murphy
a97a196160 Unused import 2018-01-30 09:35:35 +10:00
Grant Murphy
7c7fe752b6 Fix go vet errors in tests 2018-01-30 09:32:04 +10:00
Jon McClintock
1ca335016a Rebase to master 2018-01-22 18:45:07 +00:00
Jon McClintock
8eb9cc02a4 Adjust SQL format-string rules to ignore inherently safe formats 2018-01-22 18:34:57 +00:00
Grant Murphy
085e0f65af
Merge pull request #150 from GoASTScanner/experimental
Use explicit packages in call lists
2018-01-05 23:14:24 +10:00
Grant Murphy
aecbc873ef Use explicit packages in call lists
By allowing partial matches of selectors there are chances of collisions
such as those in issue #145, this removes it to expect explicit packages
for each rule.

Closes #145
2018-01-05 23:05:53 +10:00
Grant Murphy
9a2bec1cd0
Merge pull request #149 from GoASTScanner/experimental
Fix nil pointer dereference in complit types
2018-01-05 22:20:21 +10:00
Grant Murphy
b6f85d50da Fix nil pointer dereference in complit types 2018-01-05 22:19:08 +10:00
Grant Murphy
3520a5ae85
Merge pull request #146 from GoASTScanner/experimental
Merge experimental / refactor
2018-01-05 22:08:59 +10:00
Grant Murphy
e925d3c347 Migrated old test cases. 2017-12-28 16:54:10 +10:00
Grant Murphy
af25ac1f6e fix golint errors picked up by hound-ci 2017-12-13 22:35:47 +10:00
Grant Murphy
cfa432729c fix hound-ci errors 2017-12-13 17:39:00 +10:00
Grant Murphy
3caf7c3154 Add test cases 2017-09-16 10:12:27 +10:00
Cosmin Cojocar
c36954f04a Add the CHACHA20 to good ciphers in modern tls check 2017-08-30 16:00:56 +02:00
Grant Murphy
6943f9e5e4 Major rework of codebase
- Get rid of 'core' and move CLI to cmd/gas directory
- Migrate (most) tests to use Ginkgo and testutils framework
- GAS now expects package to reside in $GOPATH
- GAS now can resolve dependencies for better type checking (if package
  on GOPATH)
- Simplified public API
2017-07-19 15:17:00 -06:00
Grant Murphy
65b18da711 Hack to address circular dependency in rulelist 2017-05-09 21:26:12 -07:00
Grant Murphy
bf78d027a9 Restructure and introduce a standalone config 2017-04-28 14:46:26 -07:00
Grant Murphy
cacf21f3c0 Restructure to focus on lib rather than cli 2017-04-26 08:08:46 -07:00
Cosmin Cojocar
5b71c2b05f Add a test for math/big.Int.Exp rule 2017-04-10 16:10:24 +02:00
Cosmin Cojocar
65b8e74ecd Add a rule for big.Exp function call 2017-04-10 14:25:48 +02:00
mockturtl
b74c83e7e7 BindsToAllNetworkInterfaces should check TLS also 2017-03-28 13:24:22 -04:00
Grant Murphy
177fa7dde0 Merge pull request #122 from GoASTScanner/testfixes
Correct bad test cases and intermitent failure
2017-03-22 10:51:44 -07:00
Grant Murphy
622440f167 Correct bad test cases and intermitent failure
The filelist test was non-deterministic and causing intermittent
failures due to ordering. This change will ensure that the file list
returns an ordered list of files in the String() method now.

Additionally there were a number of test cases that the sample code
was incorrect, or would not compile. These have also been corrected.
2017-03-15 08:47:40 -07:00
Cosmin Cojocar
2262f5d474 Add a check for PreferServerCipherSuites flag of tls.Config 2017-03-15 15:05:44 +01:00
Grant Murphy
4099783722 Go 1.5 does not support width precision specifier 2017-01-14 14:39:22 -08:00
Grant Murphy
9bc02396e8 Introduce entropy checking of string
This will hopefully reduce the number of false positives when it comes
to hard coded credentials. The zxcvbn library is used to calculate the
entropy of the string. By default the first 16 characters are considered
as doing the entropy check for strings much longer than that introduces
a fairly significant performance hit.
2017-01-14 13:45:34 -08:00
Grant Murphy
a7ec9ccc63 Backport test case for 1.5
Go 1.5 does not have a rand.Read function so need to adjust test
definitions accordingly.
2017-01-13 13:31:22 -08:00
Grant Murphy
f9868aa8c8 Fix additional test case 2017-01-13 12:46:16 -08:00
Grant Murphy
ab4867bc76 Fix test cases with invalid sample code 2017-01-13 12:40:49 -08:00
Grant Murphy
d1303fee0b Improve specitivity of error message for GenDecl 2017-01-11 10:12:11 -08:00
Grant Murphy
1e736c8838 Fix test case (invalid sample code) 2017-01-11 09:51:25 -08:00
Grant Murphy
d1e67fc995 Ensure hardcoded credentials only examines strings
The hardcoded credentials test should only consider assignment of const strings.

Related to issue #108
2017-01-11 09:43:05 -08:00
Grant Murphy
191750f44c Recreate fileset each time we process a file
Some files were being counted multiple times here and giving a skewed
result for line numbers processed.

Closes #100
2016-12-02 15:21:13 -08:00
Grant Murphy
6ace60b950 Address unhandled error conditions
Closes #95
2016-12-02 10:20:23 -08:00
Grant Murphy
129be1561b Update error test case
There were several issues with the error test case that have been
addressed in this commit.

- It is possible to specify a whitelist of calls that error handling
  should be ignored for.
- Additional support for ast.ExprStmt for cases where the error is
  implicitly ignored.

There were several other additions to the helpers and call list in order
to support this type of functionality.

Fixes #54
2016-11-18 14:09:10 -08:00
Grant Murphy
63e8b1af23 Update unsafe rule to match package explicitly
Unsafe is not tracked in Package.Imports(), the regexp was not explicit
enough and foounsafe.Blah() would trigger an error.
2016-11-15 13:53:36 -08:00
Grant Murphy
39b18a1539 Remove debug print messages 2016-11-15 12:36:02 -08:00
Grant Murphy
ca42de24ba Initialize fresh import info for each file
The import information was being persisted between files. This was
causing false positives.

Fixes #87
2016-11-15 11:58:28 -08:00
Grant Murphy
c7bb2dd3b7 Fix additional crash condition
A var GenDecl may not have a value assigned. This error case must be
handled.
2016-11-14 15:15:17 -08:00
Grant Murphy
5012c34d48 Handle inbalanced declaration of constants
The following code would create a panic condition:

const foo, bar = "some thing"

Fixes #84
2016-11-14 13:57:55 -08:00
Grant Murphy
a3fcd96f57 Update hardcoded credentials rule for GenDecls
The hardcoded credentials rule will now also examine GenDecls so will
work with global vars and constants.

Fixes #74
2016-11-13 12:57:59 -08:00
Grant Murphy
bf103da519 Allow rules to register against multiple ast nodes
Update the AddRule interface to allow rules to register interest in
multiple ast.Nodes. Adds more flexibility to how rules can work, and was
needed to fix the hard coded credentials test specifically.
2016-11-13 12:55:31 -08:00
Grant Murphy
1d732b8ae3 Ensure os.OpenFile file permissions are checked
In addition configuration file may be used to set the permission level.

Closes #53
2016-11-12 17:57:20 -08:00
Grant Murphy
be96ef273d Fix alias logic 2016-11-07 20:10:30 -08:00
Grant Murphy
e0db3f404a Merge branch 'rand-pkg-helper' of git://github.com/tam7t/gas into tam7t-rand-pkg-helper 2016-11-07 20:03:51 -08:00
Grant Murphy
20f2a98ce8 Ensure initialization only imports are ignored
Blacklisted imports should not report failures when a module is imported
for side-effects only using the blank identifier.

Closes #59
2016-11-07 09:28:37 -08:00
Grant Murphy
7a275fd0ad MatchCallByPackage updated to avoid GetCallObject
There seems to be an inconsistency in the way that the type.Info.Uses
map is populated by the type checker in Go 1.5 and the latest release.

It is possible to ascertain the package that relates to an object 1.7.x
release but this does not work for earlier Go versions.

To work around this limitation we now track imports, and monitor if they
are aliased or initalization only imports.
2016-11-07 09:13:20 -08:00
Tommy Murphy
afb84ff20c
rand: use a MatchCallByPackage helper 2016-11-06 12:31:12 -05:00